Generic Black-Box End-to-End Attack Against State of the Art API Call Based Malware Classifiers

Rosenberg, Ishai; Shabtai, Asaf; Rokach, Lior; Elovici, Yuval

doi:10.1007/978-3-030-00470-5_23

Cited by 163 publications

(178 citation statements)

References 15 publications

Supporting

Mentioning

170

Contrasting

Order By: Relevance

“…Due to the relative simplicity of the PDF file structure, it is easy to alter the file without changing the original content. Rosenberg et al [37] proposed a black-box attack against machine learning based malware detectors in Windows OS based on analysing API calls. The attack algorithm iteratively added no-op system calls (which are extracted from benign softwares) to the binary code.…”

Section: A Adversarial Attacks To Malware Detectionmentioning

confidence: 99%

Android HIV: A Study of Repackaging Malware for Evading Machine-Learning Detection

Chen

Wang

et al. 2020

IEEE Trans.Inform.Forensic Secur.

224

142

View full text Add to dashboard Cite

Machine learning based solutions have been successfully employed for automatic detection of malware in Android applications. However, as is known, machine learning models lack robustness to adversarial examples, which are crafted by adding minor, yet carefully chosen, perturbations to the normal inputs. So far, the adversarial examples can only deceive Android malware detectors that rely on syntactic features (e.g., requested permissions, specific API calls, etc.), and the perturbations can only be implemented by simply modifying Android manifest. While recent Android malware detectors rely more on semantic features from Dalvik bytecode rather than manifest, existing attacking/defending methods are no longer effective due to the rising challenge in adding perturbations to Dalvik bytecode without affecting their original functionality.In this paper, we introduce a new highly-effective attack that generates adversarial examples of Android malware and evades being detected by the current models. To this end, we propose a method of applying optimal perturbations onto Android APK using a substitute model (i.e., a Deep Neural Network). Based on the transferability concept, the perturbations that successfully deceive the substitute model are likely to deceive the original models as well (e.g., Support Vector Machine in Drebin or Random Forest in MaMaDroid). We develop an automated tool to generate the adversarial examples without human intervention to apply the attacks. In contrast to existing works, the adversarial examples crafted by our method can also deceive recent machine learning based detectors that rely on semantic features such as control-flow-graph. The perturbations can also be implemented directly onto APK's Dalvik bytecode rather than Android manifest to evade from recent detectors. We evaluated the proposed manipulation methods for adversarial examples by using the same datasets that Drebin and MaMadroid (5879 malware examples) used. Our results show that, the malware detection rates decreased from 96% to 1% in MaMaDroid, and from 97% to 1% in Drebin, with just a small distortion generated by our adversarial examples manipulation method.

show abstract

Section: A Adversarial Attacks To Malware Detectionmentioning

confidence: 99%

Android HIV: A Study of Repackaging Malware for Evading Machine-Learning Detection

Chen

Wang

et al. 2020

IEEE Trans.Inform.Forensic Secur.

224

142

View full text Add to dashboard Cite

show abstract

“…Specifically, adversarial examples are generated from benign samples by adding small perturbation that is imperceptible to human eyes, i.e., X * = X + δ X and F (X * ) = Y * , where X * is an adversarial example, δ X is the perturbation, and Y * is the adversarial label. Prior works [9], [10] have shown that adversarial examples are detrimental to many systems in the real world. For instance, under adversarial example attacks, the automatic driving system may take a stop sign as an acceleration sign [9] and malware can evade the detection systems [10].…”

Section: Neural Network and Adversarial Examplesmentioning

confidence: 99%

“…Prior works [9], [10] have shown that adversarial examples are detrimental to many systems in the real world. For instance, under adversarial example attacks, the automatic driving system may take a stop sign as an acceleration sign [9] and malware can evade the detection systems [10]. Depending on whether there is a specified target for misclassification, adversarial example attacks can be categorized into two types, i.e., targeted and untargeted attacks.…”

Section: Neural Network and Adversarial Examplesmentioning

confidence: 99%

Adversarial Examples Versus Cloud-based Detectors: A Black-box Empirical Study

Han

et al. 2019

IEEE Trans. Dependable and Secure Comput.

View full text Add to dashboard Cite

Deep learning has been broadly leveraged by major cloud providers, such as Google, AWS and Baidu, to offer various computer vision related services including image classification, object identification, illegal image detection, etc. While recent works extensively demonstrated that deep learning classification models are vulnerable to adversarial examples, cloud-based image detection models, which are more complicated than classifiers, may also have similar security concern but not get enough attention yet. In this paper, we mainly focus on the security issues of real-world cloud-based image detectors. Specifically, (1) based on effective semantic segmentation, we propose four attacks to generate semantics-aware adversarial examples via only interacting with black-box APIs; and (2) we make the first attempt to conduct an extensive empirical study of black-box attacks against real-world cloud-based image detectors. Through the comprehensive evaluations on five major cloud platforms: AWS, Azure, Google Cloud, Baidu Cloud, and Alibaba Cloud, we demonstrate that our image processing based attacks can reach a success rate of approximately 100%, and the semantic segmentation based attacks have a success rate over 90% among different detection services, such as violence, politician, and pornography detection. We also proposed several possible defense strategies for these security challenges in the real-life situation.

show abstract

“…2. For example, during the training stage [10], [11], dataset [12], tools and architecture/model are vulnerable to security attacks, such as adding parallel layers or neurons [13], [14], to perform security attacks [15], [16]. Similarly, during the hardware implementation and inference stages, computational hardware and real-time dataset can be exploited to perform security attacks [17], [18].…”

Section: A Security Threats In Dnn Modulesmentioning

confidence: 99%

TrISec: Training Data-Unaware Imperceptible Security Attacks on Deep Neural Networks

Khalid

Hanif

Rehman

et al. 2019

2019 IEEE 25th International Symposium on on-Line Testing and Robust System Design (IOLTS)

View full text Add to dashboard Cite

Most of the data manipulation attacks on deep neural networks (DNNs) during the training stage introduce a perceptible noise that can be catered by preprocessing during inference. Therefore, data poisoning attacks during inference (e.g., adversarial attacks) are becoming more popular. However, they do not consider the imperceptibility factor in their optimization algorithms, and can be detected by correlation and structural testing. Therefore, in this paper, we propose a novel methodology which automatically generates imperceptible attack images by using the back-propagation algorithm on pretrained DNNs. We present a case study on traffic sign detection using the VGGNet and the German Traffic Sign Recognition Benchmarks dataset in an autonomous driving use case. Our results demonstrate that the generated attack images successfully perform misclassification while remaining imperceptible in both "subjective" and "objective" quality tests.

show abstract

Generic Black-Box End-to-End Attack Against State of the Art API Call Based Malware Classifiers

Cited by 163 publications

References 15 publications

Android HIV: A Study of Repackaging Malware for Evading Machine-Learning Detection

Android HIV: A Study of Repackaging Malware for Evading Machine-Learning Detection

Adversarial Examples Versus Cloud-based Detectors: A Black-box Empirical Study

TrISec: Training Data-Unaware Imperceptible Security Attacks on Deep Neural Networks

Contact Info

Product

Resources

About